Splunk Updated SPLK-3001 Exam Questions and Answers by reid

 The role that should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard is the ess_analyst role. The ess_analyst role is a predefined role in Splunk Enterprise Security that grants the user the ability to view, edit, comment, and change the status and owner of notable events. The ess_analyst role also allows the user to access the dashboards, reports, and searches related to security analysis and investigation12. References = 1: Overview of roles and capabilities in Splunk Enterprise Security - Splunk Documentation - ess_analyst role. 2: Incident Review - Splunk Documentation - Triage notable events on the Incident Review dashboard.

 This is because ES is a resource-intensive application that requires a dedicated search head with sufficient CPU and memory. Installing ES on the existing search head may cause performance issues and conflicts with other applications. Deleting the non-CIM-compliant apps from the search head is not recommended, as they are mission-critical for the site. Increasing the number of CPUs and amount of memory on the search head may not be enough to handle the load of ES and other applications. Therefore, option B is the most suitable answer. You can find more information about installing ES on this web page1.

User and website watchlists are lists of users or websites that you want to monitor for suspicious or unwanted activity. You can configure user and website watchlists in Splunk Enterprise Security to generate notable events when a user on the watchlist accesses a website on the watchlist. The User Activity dashboard displays the notable events generated by the watchlists, as well as other user activity information such as top users, top websites, and top categories. Configuring user and website watchlists can help identify users accessing inappropriate web sites, as it allows you to specify which users and websites are of interest and alert you when they are accessed. References =

• Configure user and website watchlists in Splunk Enterprise Security
• User Activity dashboard in Splunk Enterprise Security

The risk framework in Splunk Enterprise Security adds a numeric score to an object (user, server or other type) to indicate increased risk. The numeric score is calculated by summing up the risk scores of all the risk modifiers that are associated with the object. A risk modifier is an event that modifies the risk of an object, such as a malware infection, a failed login, or a suspicious activity. The risk score of a risk modifier is determined by the correlation search that triggers the risk analysis response action, which can be customized or created by the user12. The numeric score of an object reflects its overall risk level and can be used to prioritize investigation and response actions3. References = 1: Risk Analysis framework in Splunk ES - Splunk Documentation - Terminology for the Risk Analysis framework. 2: Risk Analysis framework in Splunk ES - Splunk Documentation - Write a correlation search. 3: About risk-based alerting in Splunk Enterprise Security - Splunk Documentation.